Not-Noticeably.net


CodeGrrl scripts: security flaw

16th November 2005 / 13:55

Tagged: Internet, PHPAskIt, Scripts, Security

Regarding these scripts and ONLY THESE SCRIPTS:

FA-PHPHosting, PHPCalendar, PHPClique, PHPCurrently, PHPFanBase and PHPQuotes

There is a serious vulnerability that can be, and has been, exploited by hackers if left unsecured. Read this post to find out what you can do.

This does NOT, repeat NOT affect my script, PHPAskIt. Please do not keep contacting me asking which file to replace - PHPAskIt, although a CodeGrrl script, is not based on PHPFanBase like the scripts mentioned above and is therefore not vulnerable to the attack.

Spread the word!

Edit: Ok, so we've removed all scripts available at CG. As I said above, PHPAskIt is not affected by the recent hackings and security vulnerabilities and, just to make doubly sure, I've even updated it slightly. Once CG give me the go ahead, I'll put it up again.

If you're using ANY of the scripts mentioned at the top of this post, do this immediately:

  1. Open up protection.php and add this code to the very top (but underneath the opening <? ):

    if ('protection.php' == basename($_SERVER['SCRIPT_FILENAME']))
    die ('Please do not load this page directly. Thank you.');

  2. Find this line AND DELETE IT:

    $logout_page = "$siteurl";

  3. Find these lines:

    setcookie("logincookie[user]","",time() - 86400);
    include($logout_page);
    exit;

  4. Change them to look like this:

    setcookie("logincookie[user]","",time() - 86400);
    include("login.php");
    exit;

The official fix didn't work for me, which is why I suggest you use this one: it stops hackers from requesting the protection.php file directly, and removes the ability to include an arbitrary site through $siteurl. Apply some sort of fix as soon as possible.
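To check whether a site was hit before the fix went in, here is an added example (not from the original post) that scans Apache combined-format access-log lines for the two signs described above: a direct request to protection.php, and a siteurl parameter carrying a remote URL. The log lines are constructed for the example, and the /fanbase/ path is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Nov/2005:13:40:01 +0000] "GET /fanbase/index.php HTTP/1.1" 200 4120 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Nov/2005:13:41:12 +0000] "GET /fanbase/protection.php?siteurl=http://203.0.113.99/x.txt HTTP/1.1" 200 310 "-" "-"
203.0.113.5 - - [16/Nov/2005:13:42:30 +0000] "GET /fanbase/join.php HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Nov/2005:13:43:05 +0000] "GET /fanbase/protection.php HTTP/1.1" 200 118 "-" "-"
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return finding labels for one log line, or [] when the line is benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m.group("path"))
    # protection.php is only ever meant to be include()d, never requested directly.
    if not url.path.endswith("/protection.php"):
        return []
    findings = ["direct-protection.php"]
    # A siteurl value with a URL scheme points include() at another host.
    for value in parse_qs(url.query).get("siteurl", []):
        if urlparse(value).scheme.lower() in ("http", "https", "ftp"):
            findings.append("remote-siteurl")
    return findings

def scan(log_text):
    """Return (ip, timestamp, findings) for every suspicious line in log_text."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("ts"), findings))
    return hits

if __name__ == "__main__":
    for ip, ts, findings in scan(SAMPLE_LOG):
        print(ip, ts, ", ".join(findings))
```

Any hit is worth checking against the dates the defacements appeared; a remote-siteurl hit means the include ran with whatever that URL served.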

Edit #2: PHPAskIt DOES NOT REQUIRE REGISTER_GLOBALS TO BE ON. YOU CAN USE IT WITHOUT ANY PROBLEMS!

Comments (6)

  1. Adastra
    16/11/2005 at 22:02

    thank you for the fixes, I've added them to my scripts :)
    I'm using FanAdmin, so I deleted all that stuff from my folder. I just hope FanAdmin won't be hacked sooner or later :/

  2. Jamie
    17/11/2005 at 16:16

    Wow Amelie.. I bet you have a headache already don't you? :(

  3. Bex
    17/11/2005 at 23:57

    Thank you so much for the fixes! Thank goodness for people like you with healthy, juicy, php brainmeats!

  4. Meggan
    18/11/2005 at 0:31

    Thanks so much for doing this! My site was one of the ones that was defaced, so I'm really glad to have this fix. :)

  5. Kirsty
    24/11/2005 at 3:14

    Wow. I now don't regret never switching to php. Do you know if Waks ask and answer is safe? It's the only php script I have.

  6. Amelie
    24/11/2005 at 13:16

    It should be ok but remember that nothing is 100% secure. So far it looks like it's ok, I haven't heard of anyone being hacked using Wak's scripts yet. :)
